Allow loose match for interfaces names in masq, nat and netmap

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8079 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-01-19 23:36:27 +00:00
parent 44f8dc96cc
commit e2e827cdbc
9 changed files with 110 additions and 28 deletions

View File

@ -12,6 +12,8 @@ Changes in 4.1.4
5) Allow interface lists in the masq and nat files.
6) Allow loose match of interface names used in masq, nat and netmap.
Changes in 4.1.3
1) Fix NFLOG/ULOG upcasing problem.

View File

@ -138,6 +138,22 @@ Other changes in Shorewall 4.1.4.
206.124.146.178 eth0 192.168.1.3
206.124.146.178 wlan0 192.168.1.3
4) Previously, the INTERFACE name used in the masq, nat and netmap
files had to exactly match the name of an interface from the
interfaces file. Beginning with Shorewall-perl 4.1.4, the
interface may loosely match a wildcard entry in the interfaces
file.
Example:
/etc/shorewall/interfaces:
vpn tun+
/etc/shorewall/masq:
tun1 192.168.4.0/24
Migration Issues.
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero

View File

@ -196,7 +196,12 @@ sub setup_one_masq($$$$$$$)
$rule .= "-m realm --realm $realm ";
}
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rule .= "-o $interface ";
$interface = $interfaceref->{name};
}
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
@ -368,6 +373,16 @@ sub do_one_nat( $$$$$ )
my $policyin = '';
my $policyout = '';
my $rulein = '';
my $ruleout = '';
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $capabilities{POLICY_MATCH} ) {
$policyin = ' -m policy --pol none --dir in';
@ -391,8 +406,8 @@ sub do_one_nat( $$$$$ )
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
} else {
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
}
add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat;
@ -449,20 +464,32 @@ sub setup_netmap() {
while ( read_a_line ) {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
for my $interface ( split /,/, $interfacelist ) {
my $rulein = '';
my $ruleout = '';
my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
} else {
fatal_error "Invalid type ($type)";
}
progress_message " Network $net1 on $interface mapped to $net2 ($type)";
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
}
}
}

View File

@ -121,7 +121,8 @@ our %reservedName = ( all => 1,
#
# @interfaces lists the interface names in the order that they appear in the interfaces file.
#
# %interfaces { <interface1> => { root => <name without trailing '+'>
# %interfaces { <interface1> => { name => <name of interface>
# root => <name without trailing '+'>
# options => { <option1> = <val1> ,
# ...
# }
@ -643,6 +644,8 @@ sub validate_interfaces_file( $ )
$interfaces{$interface}{bridge} = $interface;
}
$interfaces{$interface}{name} = $interface;
my $wildcard = 0;
if ( $interface =~ /\+$/ ) {
@ -772,19 +775,19 @@ sub validate_interfaces_file( $ )
sub known_interface($)
{
my $interface = $_[0];
my $interfaceref = $interfaces{$interface};
return 1 if $interfaces{$interface};
return $interfaceref if $interfaceref;
for my $i ( @interfaces ) {
my $interfaceref = $interfaces{$i};
$interfaceref = $interfaces{$i};
my $val = $interfaceref->{root};
next if $val eq $i;
if ( substr( $interface, 0, length $val ) eq $val ) {
#
# Cache this result for future reference
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
#
$interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} };
return 1;
return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i };
}
}

View File

@ -227,7 +227,7 @@ setup_masq()
build_exclusion_chain newchain nat "$nomasq" "$destnets"
if [ -n "$networks" ]; then
for s in $networks; do
for s in $(separate_list networks); do
addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
done
networks=
@ -261,7 +261,7 @@ __EOF__
build_exclusion_chain newchain nat $nomasq
if [ -n "$networks" ]; then
for s in $networks; do
for s in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
done
@ -388,7 +388,7 @@ __EOF__
fi
if [ -n "$networks" ]; then
for network in $networks; do
for network in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
done

View File

@ -59,6 +59,18 @@
the only use for the alias name; it may not appear in any other
place in your Shorewall configuratio</emphasis>n.</para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP

View File

@ -73,6 +73,18 @@
cannot use it anwhere else in your Shorewall configuration.
</emphasis></para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may

View File

@ -66,7 +66,16 @@
<listitem>
<para>The name of a network interface. The interface must be defined
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
</listitem>
</varlistentry>

View File

@ -684,9 +684,10 @@
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
addresses are allowed; no FQDNs or subnet addresses are
permitted.</para>
<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an
address.</para>